CertiK reveals it has found Kraken’s vulnerability and will issue refunds, denying extortion allegations


Blockchain security firm CertiK confirmed that it was behind the discovery of a critical vulnerability in crypto exchange Kraken’s deposit system and made public its account of the events following allegations of extortion by the exchange.

The security company also alleged that Kraken threatened its employees on June 18 and demanded repayment of an amount that did not match CertiK's own records, within an unreasonably short time and without providing a wallet address to send it to.

CertiK denied the extortion allegations and said it would transfer the money used for its “white-hat testing” back to the wallet address it has on hand, as Kraken had not provided a new address. The company said:

“Since Kraken did not provide refund addresses and the requested amount did not match, we will transfer the money based on our information to an account that Kraken has access to.”

CertiK’s side

CertiK said the investigation began on June 5, when investigators discovered an issue in Kraken’s deposit system that failed to distinguish between different internal transfer statuses.

This led to a deeper investigation into whether a malicious actor could fabricate a deposit transaction and withdraw fabricated funds. The company said the tests were also intended to determine whether a large withdrawal request would trigger risk checks.

CertiK’s tests showed that a balance worth millions of dollars could be credited to a Kraken account without a real deposit, and that more than $1 million of this fabricated balance could be withdrawn and converted into genuine crypto assets. The company said no alerts were triggered during the multi-day test period and that Kraken only responded and locked the test accounts days after CertiK reported the issue.
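The bug class CertiK describes is a crediting path that does not check which internal transfer status a deposit is in, so a deposit that was merely initiated is treated like one that settled on chain. The following is an added illustration of that pattern in a toy exchange ledger; it is not Kraken's code or CertiK's proof of concept, and the status names, the review threshold, the account names and the amounts are all assumptions. It shows the vulnerable crediting and withdrawal path beside a hardened one that credits only on confirmed deposits, credits each deposit at most once, and holds large withdrawals for review instead of executing them automatically.

```python
"""Toy model of a deposit-crediting bug of the kind described above.

Added example: not Kraken's code and not CertiK's proof of concept.
Status names, threshold, accounts and amounts are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class DepositStatus(Enum):
    INITIATED = "initiated"   # user announced a deposit; nothing seen on chain
    PENDING = "pending"       # seen on chain, not yet enough confirmations
    CONFIRMED = "confirmed"   # final on chain and verified against the node
    FAILED = "failed"         # abandoned or reorged out


@dataclass(frozen=True)
class Deposit:
    deposit_id: str
    account: str
    amount: int               # smallest unit of the asset
    status: DepositStatus


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)        # deposit ids already credited
    held_withdrawals: list = field(default_factory=list)

    def balance(self, account: str) -> int:
        return self.balances.get(account, 0)


# Assumed review threshold: withdrawals at or above it go to manual review.
REVIEW_THRESHOLD = 100_000


def credit_vulnerable(ledger: Ledger, dep: Deposit) -> bool:
    """Credits every non-failed deposit as if it had settled.

    The status field can tell INITIATED from CONFIRMED, but this path never
    looks at it, so an announced-but-unsettled deposit becomes spendable.
    """
    if dep.status is DepositStatus.FAILED or dep.deposit_id in ledger.credited:
        return False
    ledger.balances[dep.account] = ledger.balance(dep.account) + dep.amount
    ledger.credited.add(dep.deposit_id)
    return True


def credit_hardened(ledger: Ledger, dep: Deposit) -> bool:
    """Credits only a CONFIRMED deposit, and each deposit id only once."""
    if dep.status is not DepositStatus.CONFIRMED:
        return False
    if dep.deposit_id in ledger.credited:
        return False
    ledger.balances[dep.account] = ledger.balance(dep.account) + dep.amount
    ledger.credited.add(dep.deposit_id)
    return True


def withdraw_vulnerable(ledger: Ledger, account: str, amount: int) -> str:
    """Pays out anything the (possibly fabricated) balance covers, no risk check."""
    if amount > ledger.balance(account):
        return "insufficient"
    ledger.balances[account] -= amount
    return "sent"


def withdraw_hardened(ledger: Ledger, account: str, amount: int) -> str:
    """Same balance check, plus a hold on large withdrawals for review."""
    if amount > ledger.balance(account):
        return "insufficient"
    if amount >= REVIEW_THRESHOLD:
        ledger.held_withdrawals.append((account, amount))
        return "held"
    ledger.balances[account] -= amount
    return "sent"


def run_scenario(credit, withdraw) -> dict:
    """Constructed scenario: two unsettled deposits from an attacker, one real one."""
    ledger = Ledger()
    deposits = [
        Deposit("d1", "attacker", 1_000_000, DepositStatus.INITIATED),
        Deposit("d2", "attacker", 1_000_000, DepositStatus.PENDING),
        Deposit("d3", "honest", 500_000, DepositStatus.CONFIRMED),
        Deposit("d3", "honest", 500_000, DepositStatus.CONFIRMED),  # replayed notification
    ]
    for dep in deposits:
        credit(ledger, dep)
    return {
        "attacker_balance": ledger.balance("attacker"),
        "honest_balance": ledger.balance("honest"),
        "attacker_withdrawal": withdraw(ledger, "attacker", 1_500_000),
        "honest_withdrawal": withdraw(ledger, "honest", 200_000),
        "held": len(ledger.held_withdrawals),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(credit_vulnerable, withdraw_vulnerable))
    print("hardened:  ", run_scenario(credit_hardened, withdraw_hardened))
```

In the vulnerable run the attacker's two unsettled deposits become a spendable balance of 2,000,000 units and a 1,500,000-unit withdrawal is paid out with no alert, which is the shape of the failure CertiK describes. In the hardened run the attacker's balance stays at zero, the replayed confirmation of the honest deposit is credited only once, and the honest account's large withdrawal is held for review rather than executed.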


Despite initial successful communication and steps to identify and resolve the vulnerability, the situation deteriorated, leading to CertiK’s public disclosure.

The timeline of events started with the initial discovery on June 5 and included major tests such as a withdrawal of more than 90,000 MATIC on June 7, followed by further large deposits and withdrawals over the following days.

CertiK reported its findings to Kraken on June 10, and on June 12, Kraken confirmed and fixed the critical vulnerability. However, the situation escalated on June 18, when Kraken allegedly threatened a CertiK employee and demanded a refund without providing any addresses.

Accusations of extortion

Kraken’s Chief Security Officer Nick Percoco revealed on June 19 that nearly $3 million had been taken from Kraken’s treasury due to a bug that allowed a user to initiate a deposit on the platform and receive the funds in their account without the deposit ever completing.

He revealed that on June 9, the company received an anonymous tip from a “security researcher” about a critical bug in its funding system. The flaw allowed malicious actors to artificially inflate their account balances.

While fixing the vulnerability, Kraken discovered that three accounts had exploited this flaw within a few days, draining almost $3 million from Kraken’s coffers. The amount is several times higher than was necessary to prove that the vulnerability exists.

The exchange said the researchers declined its request to return the money and to provide the details normally required under a bug bounty program, including “a full record of their activities, a proof of concept used to create the on-chain activity.”

Instead, the researchers scheduled meetings between the exchange and CertiK’s business department to discuss what the reward should be worth based on the damage it would have caused had it not been made public.


Percoco condemned the researchers’ demand for a speculative sum based on possible damages, calling their conduct unethical and criminal.
